[OAUTH-WG] review of draft-ietf-oauth-attestation-based-client-auth-04

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 28 October 2024 23:38 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 28 Oct 2024 19:37:43 -0400
Message-ID: <CAHbuEH7xxNa_ktktkLXqa3GqvNH1gFjDnm+HATUeNQuL03sjxg@mail.gmail.com>
To: oauth@ietf.org
Subject: [OAUTH-WG] review of draft-ietf-oauth-attestation-based-client-auth-04
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Cptzjz7ihluabEh24IiMO0pdqVo>

Greetings!

I was reviewing:

OAuth 2.0 Attestation-Based Client Authentication
draft-ietf-oauth-attestation-based-client-auth-04

and think there's an opportunity to increase clarity. I assume that by
mentioning attestations, the draft means that a key created off the root
of trust (like the AIK/AK key in a TPM) will be used to sign evidence, so
that you are authenticating that the client is the one in which the root of
trust (EK) resides. However, this is never stated, so it's not clear. With
attestation, it is still best to spell out exactly what is meant, as many
are coming up to speed familiarizing themselves with it.


How authentication is actually provided in this method should be explicitly
stated.

Section 8.2 could make it clearer, as could earlier sections of the draft.

This draft references Section 2.2 of RFC 7523, and you'll see that it has a
clear explanation of the credentials that assist in authentication. For
attestation, the evidence is verified along with the digital signature on
that evidence.

I hope this is helpful!
-- 

Best regards,
Kathleen
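The two-step check the review asks the draft to spell out (verify the evidence and the attester's signature on it, then verify that the client holds the key that evidence binds) is shown below as an added example. It is not code from the draft, from RFC 7523 or from the reviewer. It assumes JWT-style claim names (`iss`, `sub`, `exp`, `cnf.jwk`, `aud`, `jti`) and ES256 signatures; the attester key is a software stand-in for the TPM AK the reviewer mentions, and the issuer, audience and client identifiers (`https://attester.example`, `https://as.example`, `client-123`) are constructed placeholders. The draft's own header and claim names should be taken from the draft itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk holds just enough of an EC public key to bind it in a cnf claim (assumed layout).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func toJWK(pub *ecdsa.PublicKey) jwk {
	return jwk{Kty: "EC", Crv: "P-256",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

func fromJWK(k jwk) (*ecdsa.PublicKey, error) {
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil {
		return nil, errors.New("unsupported or malformed cnf.jwk")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("cnf.jwk point not on curve")
	}
	return pub, nil
}

// Attestation (evidence) claims: the attester vouches for client `sub` and binds its key in cnf.
type attestationClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Cnf struct {
		JWK jwk `json:"jwk"`
	} `json:"cnf"`
}

// Proof-of-possession claims signed by the client instance key bound in the attestation.
type popClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// signES256 produces a compact JWS: base64url(header).base64url(payload).base64url(r||s).
func signES256(claims any, key *ecdsa.PrivateKey, typ string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": typ})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyES256 checks the JWS signature with pub before any claim is trusted, pinning alg to ES256.
func verifyES256(token string, pub *ecdsa.PublicKey, out any) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWS")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	h, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "ES256" {
		return errors.New("unexpected JWS header or alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return err
	}
	return json.Unmarshal(payload, out)
}

// issueAttestation is the attester's side: sign evidence binding clientPub to clientID.
func issueAttestation(attester *ecdsa.PrivateKey, issuer, clientID string, clientPub *ecdsa.PublicKey, exp time.Time) (string, error) {
	var a attestationClaims
	a.Iss, a.Sub, a.Exp = issuer, clientID, exp.Unix()
	a.Cnf.JWK = toJWK(clientPub)
	return signES256(a, attester, "attestation+jwt") // typ value is assumed, not the draft's
}

// issuePoP is the client's side: prove possession of the bound key for one audience.
func issuePoP(client *ecdsa.PrivateKey, clientID, aud, jti string, exp time.Time) (string, error) {
	return signES256(popClaims{Iss: clientID, Aud: aud, Jti: jti, Exp: exp.Unix()}, client, "attestation-pop+jwt")
}

// verifyClientAttestation is the authorization server's side. Authentication holds only if
// (1) the attester's signature on the evidence verifies and the evidence is current, and
// (2) the PoP verifies under the key the evidence binds, for this AS, within its window.
func verifyClientAttestation(attestation, pop string, attesterPub *ecdsa.PublicKey, issuer, audience string, now time.Time) (string, error) {
	var att attestationClaims
	if err := verifyES256(attestation, attesterPub, &att); err != nil {
		return "", fmt.Errorf("attestation: %w", err)
	}
	if att.Iss != issuer || now.Unix() >= att.Exp {
		return "", errors.New("attestation: wrong issuer or expired")
	}
	clientKey, err := fromJWK(att.Cnf.JWK)
	if err != nil {
		return "", err
	}
	var p popClaims
	if err := verifyES256(pop, clientKey, &p); err != nil {
		return "", fmt.Errorf("pop: %w", err)
	}
	if p.Iss != att.Sub || p.Aud != audience || p.Jti == "" || now.Unix() >= p.Exp {
		return "", errors.New("pop: claims do not match attestation, audience or time window")
	}
	return att.Sub, nil
}

func main() {
	attester, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	att, _ := issueAttestation(attester, "https://attester.example", "client-123", &client.PublicKey, now.Add(time.Hour))
	pop, _ := issuePoP(client, "client-123", "https://as.example", "nonce-1", now.Add(5*time.Minute))
	id, err := verifyClientAttestation(att, pop, &attester.PublicKey, "https://attester.example", "https://as.example", now)
	fmt.Println("authenticated client:", id, "err:", err)
}
```

The verifier pins the algorithm, checks the attester's signature before reading any claim, and only then trusts `cnf.jwk`; a PoP signed by any key other than the bound one, or aimed at a different audience, is rejected even though the attestation itself is valid.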